Abstract

This paper presents two kinds of division polynomials for twisted Edwards curves. 
Their chief property is that they characterise the n-torsion points of a given twisted 
Edwards curve. We also present results concerning the coefficients of these polynomials, 
which may aid computation. 

1 Introduction 

The famous last entry in the diary of Gauss concerns the curve with equation

$$x^2 + y^2 + x^2y^2 = 1 \qquad (1)$$

and its rational points over $\mathbb{F}_p$. This curve is related to the elliptic curve $y^2 = 4x^3 - 4x$.

The idea of division polynomials on a curve with a group law on its points, is that we
try to write down a formula for $[n]P$ in terms of the coordinates of $P$, where $[n]P$ denotes
$P$ added to itself $n$ times under the group law. In this paper we shall give two distinct
solutions to this problem, in the general context of twisted Edwards curves, of which (1)
is a special case.

Edwards [5], generalising (1), introduced an addition law on the curves
$x^2 + y^2 = c^2(1 + x^2y^2)$ for $c \in k$, where $k$ is a field of characteristic not equal to 2. He showed that
every elliptic curve over $k$ is birationally equivalent (over some extension of $k$) to a curve
of this form.

In [3], Bernstein and Lange generalised this addition law to the curves $x^2 + y^2 = 1 + dx^2y^2$
for $d \in k \setminus \{0, 1\}$. More generally, they consider $x^2 + y^2 = c^2(1 + dx^2y^2)$, however, any
such curve is isomorphic to one of the form $x^2 + y^2 = 1 + d'x^2y^2$ for some $d' \in k$, so we
will assume $c = 1$. These curves are referred to as Edwards curves. Bernstein and Lange
showed that if $k$ is finite, a large class of elliptic curves over $k$ (all those which have a point
of order 4) can be represented in Edwards form. The case $d = -1$ gives the curve (1)
considered by Gauss.

In [2], Bernstein et al. introduced the twisted Edwards curves $ax^2 + y^2 = 1 + dx^2y^2$
(where $a, d \in k$ are distinct and non-zero) and showed that every elliptic curve with a
representation in Montgomery form is birationally equivalent to a twisted Edwards curve.
Obviously, the case $a = 1$ of a twisted Edwards curve is an Edwards curve.

In this paper we describe a sequence of rational functions, and consequently a sequence
of polynomials, defined on the function field of a twisted Edwards curve which are analogous
to the division polynomials for elliptic curves in Weierstrass form. In particular, these
polynomials characterise the $n$-torsion points of the twisted Edwards curve for a positive
integer $n$ (see Corollary 5.2 and Corollary 7.2). These twisted Edwards division polynomials
are polynomials in $y$ with coefficients in $\mathbb{Z}[a, d]$, and have degree in $y$ less than $n^2/2$.

This paper is laid out as follows. In Section 2 we recall division polynomials for elliptic
curves in Weierstrass form. Section 3 recalls the basic properties of twisted Edwards curves.
In Section 4, on the function field of an Edwards curve, Theorem 4.1 proves a uniqueness
form for elements of the function field of an Edwards curve, analogous to the known result
that elements of the function field of a Weierstrass curve can be written uniquely in the
form $p(x) + yq(x)$. Our division polynomials (actually rational functions) are presented in
this unique form. Section 6 compares our results to those of Gauss for the curve (1). In
Section 7 we isolate the important part of the Edwards division rational functions, which
are polynomials that could be called Edwards division polynomials. Furthermore, we show
in Section 8 that the coefficients of a given twisted Edwards division polynomial exhibit
a certain symmetry, which may reduce the amount of computation necessary for finding
that polynomial. In Section 9 we derive a different set of polynomials which also display
some properties we require from division polynomials. These have a different character to
the first set, since the $n$th polynomial is defined by a recursion on the $(n-1)$th and $(n-2)$th
polynomials, as opposed to polynomials of index $\sim n/2$.

2 Division polynomials for Weierstrass Curves 

We recall the division polynomials for Weierstrass curves here. 

First we recall the definition of the function field of an (affine) algebraic variety. If
$V/k$ is a variety in affine $n$-space, $I(V)$ denotes the ideal generated by the polynomials in
$k[x_1, \dots, x_n]$ that vanish on $V$. The affine coordinate ring of $V$ is the integral domain

$$k[V] := k[x_1, \dots, x_n]/I(V).$$

The function field of $V$ over $k$, denoted by $k(V)$, is defined to be the quotient field of $k[V]$.

For example, if $W$ is an elliptic curve with Weierstrass equation $v^2 = u^3 + Au + B$, the
function field of $W$, $k(W)$, is the quotient field of $k[u, v]/(v^2 - u^3 - Au - B)$.

We use $(u,v)$ as the coordinates for a curve in Weierstrass form and reserve $(x,y)$ for
(twisted) Edwards curves.

If $\mathrm{char}(k) \neq 2$ or $3$, given an elliptic curve over $k$ in short Weierstrass form

$$W : v^2 = u^3 + Au + B$$

with identity $\mathcal{O}$, the division polynomials $\Psi_n$ are polynomials defined on the function field
of $W$ for each $n \in \mathbb{N}$ by the following recursion:

$$\begin{aligned}
\Psi_0(u,v) &= 0 \\
\Psi_1(u,v) &= 1 \\
\Psi_2(u,v) &= 2v \\
\Psi_3(u,v) &= 3u^4 + 6Au^2 + 12Bu - A^2 \\
\Psi_4(u,v) &= 4v(u^6 + 5Au^4 + 20Bu^3 - 5A^2u^2 - 4ABu - A^3 - 8B^2) \\
\Psi_{2m+1}(u,v) &= \Psi_{m+2}(u,v)\Psi_m^3(u,v) - \Psi_{m-1}(u,v)\Psi_{m+1}^3(u,v) \quad \text{for } m \geq 2 \\
\Psi_{2m}(u,v) &= \frac{\Psi_m(u,v)}{\Psi_2(u,v)}\left(\Psi_{m+2}(u,v)\Psi_{m-1}^2(u,v) - \Psi_{m-2}(u,v)\Psi_{m+1}^2(u,v)\right) \quad \text{for } m \geq 3.
\end{aligned}$$

The $\Psi_n$ are polynomials in $u$ and $v$ with coefficients in $\mathbb{Z}[A, B]$. The principal properties
of the division polynomials are that $\Psi_n(u,v) = 0$ precisely when $(u,v)$ is an $n$-torsion
point of $W$ (i.e. $[n](u,v) = \mathcal{O}$), and that the multiplication-by-$n$ map $[n] : W \to W$ is
characterised by the division polynomials as

$$[n](u,v) = \left(\frac{u\Psi_n^2(u,v) - \Psi_{n-1}(u,v)\Psi_{n+1}(u,v)}{\Psi_n^2(u,v)},\ \frac{\Psi_{2n}(u,v)}{2\Psi_n^4(u,v)}\right)$$

(see e.g. [9], Chapters 3, 9, [8], Chapter 3). If $n$ is odd then $\Psi_n \in \mathbb{Z}[u,A,B]$, and $\Psi_n$ has
degree $(n^2 - 1)/2$ in $u$. If $n$ is even then $\Psi_n \in v\mathbb{Z}[u, A, B]$ with degree $(n^2 - 4)/2$ in $u$. In
this paper we prove analogous results for twisted Edwards curves.

3 Twisted Edwards Curves 

Let $k$ be a field with characteristic $\neq 2$ or $3$. Let $K$ be an extension field of $k$. Let $E(K)$
be the twisted Edwards curve over $K$ with coefficients $a$ and $d$, where $a$ and $d$ are distinct
and non-zero:

$$E(K) : ax^2 + y^2 = 1 + dx^2y^2.$$

Points on $E(K)$ may be added by the rule

$$(x_1,y_1) + (x_2,y_2) = \left(\frac{x_1y_2 + x_2y_1}{1 + dx_1x_2y_1y_2},\ \frac{y_1y_2 - ax_1x_2}{1 - dx_1x_2y_1y_2}\right)$$

and under this operation, the points on $E(K)$ form an abelian group. The identity is
$(0, 1)$, and the additive inverse of a point $(x, y)$ is $(-x, y)$. The projective closure of $E$ has
singularities at $(1 : 0 : 0)$ and $(0 : 1 : 0)$.

The twisted Edwards curve $E(K)$ is birationally equivalent to the Weierstrass-form
elliptic curve

$$W(K) : v^2 = u^3 - \frac{a^2 + 14ad + d^2}{48}u - \frac{a^3 - 33a^2d - 33ad^2 + d^3}{864}$$

under the transformation

$$u = \frac{(5a - d) + (a - 5d)y}{12(1 - y)}, \qquad v = \frac{(a - d)(1 + y)}{4x(1 - y)} \qquad \text{if } x(1 - y) \neq 0,$$

otherwise

$$(x,y) = (0,1) \Rightarrow (u,v) = \mathcal{O}$$
$$(x,y) = (0,-1) \Rightarrow (u,v) = \left(\frac{a+d}{6}, 0\right).$$

The inverse transformation is given by

$$x = \frac{6u - (a + d)}{6v}, \qquad y = \frac{12u + d - 5a}{12u + a - 5d} \qquad \text{if } v(12u + a - 5d) \neq 0$$

and

$$(u,v) = \mathcal{O} \Rightarrow (x,y) = (0,1)$$
$$(u,v) = \left(\frac{a+d}{6}, 0\right) \Rightarrow (x,y) = (0,-1).$$

There are 4 points on $W(\bar{k})$ that are not mapped to any point on the twisted Edwards
curve. These are $(u,v) = \left(\frac{5d-a}{12}, \pm\frac{s(d-a)}{4}\right)$ and $(u,v) = \left(\frac{-(a+d) \pm 6t}{12}, 0\right)$ where $s, t \in \bar{k}$
such that $s^2 = d$, $t^2 = ad$. We note that $\left(\frac{-(a+d) \pm 6t}{12}, 0\right)$ are points of order 2 on $W$, and
$\left(\frac{5d-a}{12}, \pm\frac{s(d-a)}{4}\right)$ are points of order 4 on $W$. Had we defined the birational equivalence
between the projective closures of $W$ and $E$, the points $(5d - a : \pm 3s(d - a) : 12)$ of $W$
would map to the singular point $(0 : 1 : 0)$ of $E$, while the points $(-(a + d) \pm 6t : 0 : 12)$ of
$W$ would map to the singular point $(1 : 0 : 0)$ of $E$.

4 The Function Field of a Twisted Edwards Curve

For Weierstrass curves $W : v^2 = u^3 + Au + B$ it is well known (see [8] for example) that
an element of the function field $K(W)$ can be written uniquely in the form

$$p(u) + v\,q(u)$$

where $p(u)$, $q(u)$ are polynomials in $u$.

We will prove an analogous result for twisted Edwards curves $E$. Not surprisingly,
rational functions are needed in place of the polynomials. We use the notation $\mathrm{ord}_P(f)$ to
denote the valuation of a function $f \in K(E)$ at a point $P$.

Theorem 4.1 Any function $g \in K(E)$ can be written uniquely as

$$g(x,y) = p(y) + xq(y)$$

where $p(y)$, $q(y)$ are rational functions in $y$.

Proof: Let $f(x,y) = 0$ be the equation defining $E$, where

$$f(x, y) = ax^2 + y^2 - 1 - dx^2y^2.$$

In $K(E)$ we have

$$x^2 = \frac{1 - y^2}{a - dy^2}.$$

If $g(x,y) \in K(E)$, by replacing every occurrence of $x^2$ by this rational function in $y$ it
follows that $g(x, y)$ can be written in the form

$$\frac{A(y) + xB(y)}{C(y) + xD(y)}$$

where $A, B, C, D$ are rational functions. Multiplying above and below by $C(y) - xD(y)$,
and replacing each $x^2$ by $\frac{1 - y^2}{a - dy^2}$ shows that $g$ can be written in the stated form. This proves
existence.

Suppose for the sake of contradiction that this expression for $g$ is not unique. Then
$A(y) + xB(y) = 0$ for some nonzero rational functions $A(y)$, $B(y)$. So

$$x = -\frac{A(y)}{B(y)}$$

which implies

$$\mathrm{ord}_{(0,1)}\,x = \mathrm{ord}_{(0,1)}A(y) - \mathrm{ord}_{(0,1)}B(y). \qquad (2)$$

We obtain our contradiction by showing that the right-hand side of equation (2) is even,
but the left-hand side is equal to 1.

We expand at $(0, 1)$ and we get

$$\begin{aligned}
f(x, y + 1) &= ax^2 + (y + 1)^2 - 1 - dx^2(y + 1)^2 \\
&= ax^2 + y^2 + 2y - dx^2y^2 - 2dx^2y - dx^2.
\end{aligned}$$

This shows that the line $x = 0$ is not a tangent at $(0, 1)$, so $x$ is a local uniformizer there.
Then

/Or, + 1) = (a-d)x 2 

which implies $\mathrm{ord}_{(0,1)}(y - 1) = 2\,\mathrm{ord}_{(0,1)}(x) = 2$.

When computing $\mathrm{ord}_{(0,1)}A(y)$, we translate $(0, 1)$ to the origin, and write $A(y+1) = \frac{a(y)}{b(y)}$
for some polynomials $a(y)$, $b(y)$. Then

$$\mathrm{ord}_{(0,1)}A(y) = \mathrm{ord}_{(0,0)}a(y) - \mathrm{ord}_{(0,0)}b(y).$$

Of course, after translation we have $\mathrm{ord}_{(0,0)}(y) = 2$.

Let $n_0$ be the degree of the term of smallest degree in $a(y)$, and similarly let $m_0$ be
the degree of the term of smallest degree in $b(y)$. Then $\mathrm{ord}_{(0,0)}a(y) = (\mathrm{ord}_{(0,0)}y)\,n_0 = 2n_0$,
and similarly, $\mathrm{ord}_{(0,0)}b(y) = 2m_0$. Thus $\mathrm{ord}_{(0,1)}A(y) = 2(n_0 - m_0)$, which is even.

Similarly, $\mathrm{ord}_{(0,1)}B(y)$ is even. This proves that the right-hand side of (2) is even, and
we are done. □

Corollary 4.2 Any function $g \in K(E)$ can be written uniquely as

$$g(x,y) = p'(y) + \frac{1}{x}q'(y)$$

where $p'(y)$, $q'(y)$ are rational functions in $y$.

Proof: This follows from Theorem 4.1 and the fact that

$$x = \frac{1}{x} \cdot \frac{1 - y^2}{a - dy^2}$$

on the function field of $E$. In fact $p'(y)$ is equal to $p(y)$, using the notation of Theorem
4.1, and

$$q'(y) = \frac{1 - y^2}{a - dy^2}\,q(y).$$

□

5 Division Rational Functions on Twisted Edwards Curves

We define the following rational functions $\psi_n(x,y)$ on the function field of $E$ recursively
for $n \geq 0$:

$$\begin{aligned}
\psi_0(x,y) &:= 0 \\
\psi_1(x,y) &:= 1 \\
\psi_2(x,y) &:= \frac{(a-d)(1 + y)}{x(2(1-y))} \\
\psi_3(x,y) &:= \frac{(a - d)^3(a + 2ay - 2dy^3 - dy^4)}{(2(1 - y))^4} \\
\psi_4(x,y) &:= \frac{2(a-d)^6\,y(1 + y)(a - dy^4)}{x(2(1 - y))^7} \\
\psi_{2m+1}(x,y) &:= \psi_{m+2}(x,y)\psi_m^3(x,y) - \psi_{m-1}(x,y)\psi_{m+1}^3(x,y) \quad \text{for } m \geq 2 \\
\psi_{2m}(x,y) &:= \frac{\psi_m(x,y)}{\psi_2(x,y)}\left(\psi_{m+2}(x,y)\psi_{m-1}^2(x,y) - \psi_{m-2}(x,y)\psi_{m+1}^2(x,y)\right) \quad \text{for } m \geq 3.
\end{aligned}$$

These functions are not defined at the points $(0,1)$ and $(0,-1)$. We point out that
these elements of the function field $K(E)$ are in the unique form given in Corollary 4.2.
For $n \geq 1$, we also define

$$\phi_n(x,y) := \frac{(1 + y)\psi_n^2(x,y)}{1 - y} - \frac{4\psi_{n-1}(x,y)\psi_{n+1}(x,y)}{a - d}$$

and

$$\omega_n(x,y) := \frac{2\psi_{2n}(x,y)}{(a - d)\psi_n(x,y)}.$$

Next we show that these rational functions arise in the multiplication-by-$n$ map.

Theorem 5.1 Let $(x,y)$ be a point in $E(k) \setminus \{(0, 1), (0, -1)\}$ and $n \geq 1$ an integer. Then

$$[n](x,y) = \left(\frac{\phi_n(x,y)\psi_n(x,y)}{\omega_n(x,y)},\ \frac{\phi_n(x,y) - \psi_n^2(x,y)}{\phi_n(x,y) + \psi_n^2(x,y)}\right).$$

Proof: Compute the division polynomials for the Weierstrass elliptic curve from Section
3, $W : v^2 = u^3 + Au + B$, where

$$A = -\frac{a^2 + 14ad + d^2}{48}, \qquad B = -\frac{a^3 - 33a^2d - 33ad^2 + d^3}{864}.$$

We get

$$\begin{aligned}
\Psi_0(u,v) &= 0 \\
\Psi_1(u,v) &= 1 \\
\Psi_2(u,v) &= 2v \\
\Psi_3(u,v) &= 3u^4 + 6Au^2 + 12Bu - A^2 \\
\Psi_4(u,v) &= 4v(u^6 + 5Au^4 + 20Bu^3 - 5A^2u^2 - 4ABu - A^3 - 8B^2) \\
\Psi_{2m+1}(u,v) &= \Psi_{m+2}(u,v)\Psi_m^3(u,v) - \Psi_{m-1}(u,v)\Psi_{m+1}^3(u,v) \quad \text{for } m \geq 2 \\
\Psi_{2m}(u,v) &= \frac{\Psi_m(u,v)}{\Psi_2(u,v)}\left(\Psi_{m+2}(u,v)\Psi_{m-1}^2(u,v) - \Psi_{m-2}(u,v)\Psi_{m+1}^2(u,v)\right) \quad \text{for } m \geq 3.
\end{aligned}$$

Substituting

$$A = -\frac{a^2 + 14ad + d^2}{48}, \qquad B = -\frac{a^3 - 33a^2d - 33ad^2 + d^3}{864},$$

$$u = \frac{(5a - d) + (a - 5d)y}{12(1 - y)}, \qquad v = \frac{(a - d)(1 + y)}{4x(1 - y)},$$

for the cases 0, 1, 2, 3, 4 we see that $\Psi_i(u, v) = \psi_i(x, y)$ for $i = 0, 1, 2, 3, 4$. Hence, as the
recursion relations for the two sets of functions $\Psi_i(u, v)$ and $\psi_i(x, y)$ are identical for $i \geq 5$,
we have that $\Psi_n(u, v) = \psi_n(x,y)$ for all integers $n \geq 0$.

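From here on we will use the abbreviated notations $\psi_n$ for $\psi_n(x, y)$, $\phi_n$ for $\phi_n(x, y)$ and
$\omega_n$ for $\omega_n(x,y)$. Let $(x_n, y_n) = [n](x,y)$, and $(u_n, v_n) = [n]_W(u,v)$.

From the properties of the division polynomials,

$$u_n = u - \frac{\Psi_{n-1}(u,v)\Psi_{n+1}(u,v)}{\Psi_n^2(u,v)}, \qquad v_n = \frac{\Psi_{2n}(u,v)}{2\Psi_n^4(u,v)},$$

i.e.,

$$u_n = u - \frac{\psi_{n-1}\psi_{n+1}}{\psi_n^2}, \qquad v_n = \frac{\psi_{2n}}{2\psi_n^4},$$

and, applying the birational equivalence gives

$$x_n = \frac{6u_n - (a + d)}{6v_n}, \qquad y_n = \frac{12u_n + d - 5a}{12u_n + a - 5d}.$$

$$\begin{aligned}
x_n &= \frac{2\psi_n^4}{\psi_{2n}}\left(\frac{5a - d + (a - 5d)y}{12(1 - y)} - \frac{\psi_{n-1}\psi_{n+1}}{\psi_n^2} - \frac{a + d}{6}\right) \\
&= \frac{\psi_n^2}{\psi_{2n}}\left(\frac{(a-d)(1 + y)\psi_n^2}{2(1 - y)} - 2\psi_{n-1}\psi_{n+1}\right)
\end{aligned}$$

while

$$\begin{aligned}
\frac{\phi_n\psi_n}{\omega_n} &= \frac{(a-d)\psi_n^2}{2\psi_{2n}}\left(\frac{(1 + y)\psi_n^2}{1 - y} - \frac{4\psi_{n-1}\psi_{n+1}}{a - d}\right) \\
&= \frac{\psi_n^2}{\psi_{2n}}\left(\frac{(a-d)(1 + y)\psi_n^2}{2(1 - y)} - 2\psi_{n-1}\psi_{n+1}\right).
\end{aligned}$$

Also,

$$y_n = \frac{12u_n + d - 5a}{12u_n + a - 5d}$$

and

$$\begin{aligned}
12u_n + d - 5a &= \frac{5a - d + (a - 5d)y}{1 - y} - 12\frac{\psi_{n-1}\psi_{n+1}}{\psi_n^2} + d - 5a \\
&= \frac{6(a - d)y}{1 - y} - 12\frac{\psi_{n-1}\psi_{n+1}}{\psi_n^2} \\
12u_n + a - 5d &= \frac{6(a - d)}{1 - y} - 12\frac{\psi_{n-1}\psi_{n+1}}{\psi_n^2}
\end{aligned}$$

so

$$y_n = \frac{(a - d)y\psi_n^2 - 2(1 - y)\psi_{n-1}\psi_{n+1}}{(a - d)\psi_n^2 - 2(1 - y)\psi_{n-1}\psi_{n+1}}$$

and

$$\begin{aligned}
\frac{\phi_n - \psi_n^2}{\phi_n + \psi_n^2} &= \frac{\left(\frac{1+y}{1-y} - 1\right)\psi_n^2 - \frac{4\psi_{n-1}\psi_{n+1}}{a - d}}{\left(\frac{1+y}{1-y} + 1\right)\psi_n^2 - \frac{4\psi_{n-1}\psi_{n+1}}{a - d}} \\
&= \frac{(a - d)y\psi_n^2 - 2(1 - y)\psi_{n-1}\psi_{n+1}}{(a - d)\psi_n^2 - 2(1 - y)\psi_{n-1}\psi_{n+1}}.
\end{aligned}$$

Hence

$$[n](x,y) = \left(\frac{\phi_n(x,y)\psi_n(x,y)}{\omega_n(x,y)},\ \frac{\phi_n(x,y) - \psi_n^2(x,y)}{\phi_n(x,y) + \psi_n^2(x,y)}\right).$$

□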



Corollary 5.2 Let $P = (x,y)$ be in $E(k) \setminus \{(0, 1), (0, -1)\}$ and let $n \geq 1$. Then $P$ is an
$n$-torsion point of $E$ if and only if $\psi_n(P) = 0$.

Proof: Since the identity is $(0, 1)$, the result is clear from Theorem 5.1. □

So the $\psi_n(x, y)$, though they are rational functions, can be seen as analogues of division
polynomials. Here are the first seven $\psi_n(x,y)$:

$$\begin{aligned}
\psi_0 &= 0 \\
\psi_1 &= 1 \\
\psi_2 &= \frac{(a-d)(y + 1)}{x(2(1-y))} \\
\psi_3 &= \frac{(a - d)^3(-dy^4 - 2dy^3 + 2ay + a)}{(2(1 - y))^4} \\
\psi_4 &= \frac{2(a - d)^6(-dy^6 - dy^5 + ay^2 + ay)}{x(2(1 - y))^7} \\
\psi_5 &= \frac{(a - d)^9(d^3y^{12} - 2d^3y^{11} + \cdots + 2a^3y - a^3)}{(2(1 - y))^{12}} \\
\psi_6 &= \frac{(a - d)^{13}(-d^4y^{17} - d^4y^{16} + (4ad^3 + 4d^4)y^{15} + \cdots + (4a^3d + 4a^4)y^2 - a^4y - a^4)}{x(2(1 - y))^{17}}.
\end{aligned}$$

As we said earlier, these elements of the function field $K(E)$ are in the unique form
given in Corollary 4.2.

The apparent patterns here are proved in Theorem 7.1 below.
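
The recursion of Section 5 evaluated numerically, as an added example (not code from the paper): it computes $\psi_n$, $\phi_n$ and $\omega_n$ at every affine point of a constructed curve over $\mathbb{F}_{101}$ and checks Theorem 5.1 and Corollary 5.2 against repeated use of the addition law. The prime 101, the parameters $a = 5$, $d = 2$ and all function names are assumptions chosen for illustration; $a$ square and $d$ non-square make the addition law complete, so the reference computation never divides by zero.

```python
from functools import lru_cache

P = 101        # constructed small prime field (characteristic not 2 or 3)
A, D = 5, 2    # constructed curve: a = 5 is a square, d = 2 a non-square mod 101

def inv(z):
    """Inverse in F_P; raises ValueError on zero rather than returning a wrong value."""
    return pow(z % P, -1, P)

def add(p1, p2):
    """Addition law of Section 3."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 - A * x1 * x2) * inv(1 - t) % P)

def mul(n, pt):
    """[n]pt by repeated addition: the reference the formulas are checked against."""
    acc = (0, 1)
    for _ in range(n):
        acc = add(acc, pt)
    return acc

def curve_points():
    """All affine points, using x^2 = (1 - y^2) / (a - d y^2)."""
    roots = {}
    for r in range(P):
        roots.setdefault(r * r % P, []).append(r)
    return [(x, y) for y in range(P)
            for x in roots.get((1 - y * y) * inv(A - D * y * y) % P, [])]

def make_psi(x, y):
    """Return n -> psi_n(x, y) in F_P for a point other than (0, 1) and (0, -1)."""
    c, w, ix = (A - D) % P, inv(2 * (1 - y)), inv(x)
    base = {
        0: 0,
        1: 1,
        2: c * (1 + y) * ix * w % P,
        3: pow(c, 3, P) * (A + 2*A*y - 2*D*y**3 - D*y**4) * pow(w, 4, P) % P,
        4: 2 * pow(c, 6, P) * y * (1 + y) * (A - D*y**4) * ix * pow(w, 7, P) % P,
    }
    inv_psi2 = inv(base[2])              # nonzero because y != -1

    @lru_cache(maxsize=None)
    def psi(n):
        if n in base:
            return base[n]
        m = n // 2
        if n % 2:                        # psi_{2m+1}, m >= 2
            return (psi(m + 2) * psi(m)**3 - psi(m - 1) * psi(m + 1)**3) % P
        return psi(m) * inv_psi2 * (psi(m + 2) * psi(m - 1)**2
                                    - psi(m - 2) * psi(m + 1)**2) % P
    return psi

def multiply_by_formula(n, pt, psi):
    """[n]pt from Theorem 5.1, for psi(n) != 0; x is None when omega_n = 0."""
    x, y = pt
    pn = psi(n)
    phi = ((1 + y) * pn * pn * inv(1 - y)
           - 4 * psi(n - 1) * psi(n + 1) * inv(A - D)) % P
    yn = (phi - pn * pn) * inv(phi + pn * pn) % P
    if psi(2 * n) == 0:                  # omega_n = 0: [n]pt is the 2-torsion point (0, -1)
        return None, yn
    omega = 2 * psi(2 * n) * inv((A - D) * pn) % P
    return phi * pn * inv(omega) % P, yn

def verify(max_n=12):
    """Check Corollary 5.2 and Theorem 5.1 at every point for n = 1..max_n."""
    formula_checks = torsion_hits = 0
    for pt in curve_points():
        if pt[0] == 0:                   # (0, 1) and (0, -1): psi_n is not defined
            continue
        psi = make_psi(*pt)
        for n in range(1, max_n + 1):
            expected = mul(n, pt)
            if (psi(n) == 0) != (expected == (0, 1)):
                return None              # Corollary 5.2 would be violated
            if psi(n) == 0:
                torsion_hits += 1
                continue
            xn, yn = multiply_by_formula(n, pt, psi)
            if yn != expected[1] or xn not in (None, expected[0]):
                return None              # Theorem 5.1 would be violated
            if xn is None and expected != (0, P - 1):
                return None
            formula_checks += 1
    return formula_checks, torsion_hits
```

`verify()` returns the number of (point, n) pairs on which the Theorem 5.1 formula was compared and the number of pairs where $\psi_n$ vanished; it returns `None` on any disagreement.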

6 Gauss's notes 

We mention here how Gauss's formulas (see Fig 1) are incorrect, although they are close 
to being correct. Essentially the only errors are sign errors. 

One can see that Gauss calls the point $(s, c)$ and sin lemn $n\varphi$ denotes the $x$ coordinate
of $[n](s,c)$, and cos lemn $n\varphi$ denotes the $y$ coordinate of $[n](s, c)$.

We represent our formulas in the unique form given by Theorem 4.1.

Our division polynomial formulas applied to the curve (1) give

$$[2](s, c) = \left(\frac{2sc(c^2 + 1)}{c^4 + 1},\ \frac{-c^4 - 2c^2 + 1}{c^4 - 2c^2 - 1}\right)$$

which we can see agree with Gauss's formula for twice the point in terms of $c$. However,
there is an error in Gauss's formula for cos lemn $2\varphi$ in terms of $s$, which should be

$$\frac{1 - 2s^2 - s^4}{1 + 2s^2 - s^4}.$$

A sign error also occurs in the denominator of the sin lemn $5\varphi$ formula (coefficient of
$s^{12}$ should be $-12$), and six times in the cos lemn $4\varphi$ formula, which should read

$$\cos \operatorname{lemn} 4\varphi = \frac{1 - 8s^2 - 12s^4 - 8s^6 + 38s^8 + 8s^{10} - 12s^{12} + 8s^{14} + s^{16}}{1 + 8s^2 - 12s^4 + 8s^6 + 38s^8 - 8s^{10} - 12s^{12} - 8s^{14} + s^{16}}.$$

We note that these sign errors break the apparent "reverse symmetry" between the
coefficients of the numerator and denominator. This symmetry, proved by Abel [1], is
explained in greater detail in Chapter 15 of [4].

For the general case, Gauss gave some information on the x coordinate of [n](s,c), but 
not the y coordinate. 



7 Division Polynomials 

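The next theorem isolates the key polynomial in the numerator of $\psi_n$, which we call $\tilde\psi_n(y)$.
These polynomials could also be called the division polynomials for twisted Edwards curves.

Theorem 7.1 We have

$$\psi_n(x,y) = \begin{cases}
(a - d)^{k(n)}\tilde\psi_n(y)/(2(1 - y))^{m(n)} & \text{if } n \text{ is odd} \\
(a - d)^{k(n)}\tilde\psi_n(y)/x(2(1 - y))^{m(n)} & \text{if } n \text{ is even}
\end{cases}$$

where

$$m(n) = \begin{cases}
\frac{n^2 - 1}{2} & \text{if } n \text{ is odd} \\
\frac{n^2 - 2}{2} & \text{if } n \text{ is even}
\end{cases}$$

and

$$k(n) = \left\lfloor \frac{3n^2}{8} \right\rfloor$$

and

$$\begin{aligned}
\tilde\psi_0(y) &= 0 \\
\tilde\psi_1(y) &= 1 \\
\tilde\psi_2(y) &= y + 1 \\
\tilde\psi_3(y) &= -dy^4 - 2dy^3 + 2ay + a \\
\tilde\psi_4(y) &= -2y(y + 1)(dy^4 - a) = -2dy^6 - 2dy^5 + 2ay^2 + 2ay,
\end{aligned}$$

$$\tilde\psi_{2r+1}(y) = \begin{cases}
\dfrac{4(a-d)(a-dy^2)^2\,\tilde\psi_{r+2}(y)\tilde\psi_r^3(y)}{(y+1)^2} - \tilde\psi_{r-1}(y)\tilde\psi_{r+1}^3(y) & \text{if } r \equiv 0 \pmod 4,\ r \geq 4 \\[2ex]
\tilde\psi_{r+2}(y)\tilde\psi_r^3(y) - \dfrac{4(a-dy^2)^2\,\tilde\psi_{r-1}(y)\tilde\psi_{r+1}^3(y)}{(y+1)^2} & \text{if } r \equiv 1 \pmod 4,\ r \geq 5 \\[2ex]
\dfrac{4(a-dy^2)^2\,\tilde\psi_{r+2}(y)\tilde\psi_r^3(y)}{(y+1)^2} - \tilde\psi_{r-1}(y)\tilde\psi_{r+1}^3(y) & \text{if } r \equiv 2 \pmod 4,\ r \geq 2 \\[2ex]
\tilde\psi_{r+2}(y)\tilde\psi_r^3(y) - \dfrac{4(a-d)(a-dy^2)^2\,\tilde\psi_{r-1}(y)\tilde\psi_{r+1}^3(y)}{(y+1)^2} & \text{if } r \equiv 3 \pmod 4,\ r \geq 3
\end{cases}$$

and

$$\tilde\psi_{2r}(y) = \begin{cases}
\dfrac{\tilde\psi_r(y)}{y+1}\left(\tilde\psi_{r+2}(y)\tilde\psi_{r-1}^2(y) - \tilde\psi_{r-2}(y)\tilde\psi_{r+1}^2(y)\right) & \text{if } r \equiv 0 \pmod 4,\ r \geq 4 \\[2ex]
\dfrac{\tilde\psi_r(y)}{y+1}\left((a-d)\tilde\psi_{r+2}(y)\tilde\psi_{r-1}^2(y) - \tilde\psi_{r-2}(y)\tilde\psi_{r+1}^2(y)\right) & \text{if } r \equiv 1 \pmod 4,\ r \geq 5 \\[2ex]
\dfrac{\tilde\psi_r(y)}{y+1}\left(\tilde\psi_{r+2}(y)\tilde\psi_{r-1}^2(y) - \tilde\psi_{r-2}(y)\tilde\psi_{r+1}^2(y)\right) & \text{if } r \equiv 2 \pmod 4,\ r \geq 6 \\[2ex]
\dfrac{\tilde\psi_r(y)}{y+1}\left(\tilde\psi_{r+2}(y)\tilde\psi_{r-1}^2(y) - (a-d)\tilde\psi_{r-2}(y)\tilde\psi_{r+1}^2(y)\right) & \text{if } r \equiv 3 \pmod 4,\ r \geq 3.
\end{cases}$$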

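Proof:

First observe for all $t \in \mathbb{Z}$, $t > 0$,

$$\begin{aligned}
m(4t) &= \frac{16t^2 - 2}{2} = 8t^2 - 1 \\
m(4t \pm 1) &= \frac{(4t \pm 1)^2 - 1}{2} = \frac{16t^2 \pm 8t}{2} = 8t^2 \pm 4t \\
m(4t \pm 2) &= \frac{(4t \pm 2)^2 - 2}{2} = \frac{16t^2 \pm 16t + 2}{2} = 8t^2 \pm 8t + 1 \\
m(4t \pm 3) &= \frac{(4t \pm 3)^2 - 1}{2} = \frac{16t^2 \pm 24t + 8}{2} = 8t^2 \pm 12t + 4
\end{aligned}$$

and

$$\begin{aligned}
k(4t) &= \left\lfloor \frac{3(4t)^2}{8} \right\rfloor = \lfloor 6t^2 \rfloor = 6t^2 \\
k(4t \pm 1) &= \left\lfloor \frac{3(4t \pm 1)^2}{8} \right\rfloor = \left\lfloor 6t^2 \pm 3t + \frac{3}{8} \right\rfloor = 6t^2 \pm 3t \\
k(4t \pm 2) &= \left\lfloor \frac{3(4t \pm 2)^2}{8} \right\rfloor = \left\lfloor 6t^2 \pm 6t + \frac{12}{8} \right\rfloor = 6t^2 \pm 6t + 1 \\
k(4t \pm 3) &= \left\lfloor \frac{3(4t \pm 3)^2}{8} \right\rfloor = \left\lfloor 6t^2 \pm 9t + \frac{27}{8} \right\rfloor = 6t^2 \pm 9t + 3.
\end{aligned}$$

The proof is by induction. The claim is true for $n = 0, \dots, 4$.
Assume true for $0, \dots, n - 1$.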

Case 1: $n \equiv 0 \pmod 8$ i.e. $n = 8l$ for some $l \in \mathbb{Z}$. Let $r = 4l$.
By definition,

$$\begin{aligned}
\psi_n &= \frac{\psi_r}{\psi_2}\left(\psi_{r+2}\psi_{r-1}^2 - \psi_{r-2}\psi_{r+1}^2\right) \\
&= \frac{(a-d)^{k(r)-1}\tilde\psi_r}{(y + 1)(2(1 - y))^{m(r)-1}}\left(\frac{(a - d)^{k(r+2)+2k(r-1)}\tilde\psi_{r+2}\tilde\psi_{r-1}^2}{x(2(1 - y))^{m(r+2)+2m(r-1)}} - \frac{(a - d)^{k(r-2)+2k(r+1)}\tilde\psi_{r-2}\tilde\psi_{r+1}^2}{x(2(1 - y))^{m(r-2)+2m(r+1)}}\right).
\end{aligned}$$

Also,

$$\begin{aligned}
m(4l) - 1 + m(4l + 2) + 2m(4l - 1) &= 8l^2 - 1 - 1 + 8l^2 + 8l + 1 + 16l^2 - 8l \\
&= 32l^2 - 1 = m(8l) = m(n) \\
m(4l) - 1 + m(4l - 2) + 2m(4l + 1) &= 8l^2 - 1 - 1 + 8l^2 - 8l + 1 + 16l^2 + 8l \\
&= 32l^2 - 1 = m(8l) = m(n)
\end{aligned}$$

and

$$\begin{aligned}
k(4l) - 1 + k(4l + 2) + 2k(4l - 1) &= 6l^2 - 1 + 6l^2 + 6l + 1 + 12l^2 - 6l \\
&= 24l^2 = k(8l) = k(n) \\
k(4l) - 1 + k(4l - 2) + 2k(4l + 1) &= 6l^2 - 1 + 6l^2 - 6l + 1 + 12l^2 + 6l \\
&= 24l^2 = k(8l) = k(n).
\end{aligned}$$

So

$$\psi_n = \frac{(a-d)^{k(n)}}{x(2(1 - y))^{m(n)}}\left(\frac{\tilde\psi_r}{y+1}\left(\tilde\psi_{r+2}\tilde\psi_{r-1}^2 - \tilde\psi_{r-2}\tilde\psi_{r+1}^2\right)\right).$$

Case 2: $n \equiv 1 \pmod 8$ i.e. $n = 8l + 1$ for some $l \in \mathbb{Z}$. Let $r = 4l$.
By definition

$$\begin{aligned}
\psi_n &= \psi_{r+2}\psi_r^3 - \psi_{r-1}\psi_{r+1}^3 \\
&= \frac{(a - d)^{k(r+2)+3k(r)}\tilde\psi_{r+2}\tilde\psi_r^3}{x^4(2(1 - y))^{m(r+2)+3m(r)}} - \frac{(a - d)^{k(r-1)+3k(r+1)}\tilde\psi_{r-1}\tilde\psi_{r+1}^3}{(2(1 - y))^{m(r-1)+3m(r+1)}}.
\end{aligned}$$

Using the curve equation

$$ax^2 + y^2 = 1 + dx^2y^2$$

gives

$$x^2 = \frac{1 - y^2}{a - dy^2} = \frac{(1 - y)(1 + y)}{a - dy^2} \quad\Rightarrow\quad x^4 = \frac{(1 - y)^2(1 + y)^2}{(a - dy^2)^2}$$

so

$$\psi_n = \frac{4(a - d)^{k(r+2)+3k(r)}(a - dy^2)^2\tilde\psi_{r+2}\tilde\psi_r^3}{(y + 1)^2(2(1 - y))^{m(r+2)+3m(r)+2}} - \frac{(a - d)^{k(r-1)+3k(r+1)}\tilde\psi_{r-1}\tilde\psi_{r+1}^3}{(2(1 - y))^{m(r-1)+3m(r+1)}}.$$

Again,

$$\begin{aligned}
k(4l + 2) + 3k(4l) &= 6l^2 + 6l + 1 + 18l^2 = 24l^2 + 6l + 1 \\
&= k(n) + 1 \\
k(4l - 1) + 3k(4l + 1) &= 6l^2 - 3l + 18l^2 + 9l = 24l^2 + 6l \\
&= k(n)
\end{aligned}$$

and

$$\begin{aligned}
m(4l + 2) + 3m(4l) + 2 &= 8l^2 + 8l + 1 + 24l^2 - 3 + 2 = 32l^2 + 8l \\
&= m(n) \\
m(4l - 1) + 3m(4l + 1) &= 8l^2 - 4l + 24l^2 + 12l = 32l^2 + 8l \\
&= m(n).
\end{aligned}$$

Hence

$$\psi_n = \frac{(a-d)^{k(n)}}{(2(1 - y))^{m(n)}}\left(\frac{4(a - d)(a - dy^2)^2\tilde\psi_{r+2}(y)\tilde\psi_r^3(y)}{(y + 1)^2} - \tilde\psi_{r-1}(y)\tilde\psi_{r+1}^3(y)\right).$$

Cases 3, ..., 8: $n \equiv 2, \dots, 7 \pmod 8$. Similar.

Corollary 7.2 Let $P = (x,y)$ be in $E(k) \setminus \{(0, 1)\}$ and let $n \geq 1$. Then
$P$ is an $n$-torsion point of $E$ if and only if $\tilde\psi_n(y) = 0$.
Proof: The result follows from Corollary 5.2 and Theorem 7.1.
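
8 Further Facts

Here are some more facts about the $\tilde\psi_n$.

Theorem 8.1 $\tilde\psi_n(y) \in \mathbb{Z}[a,d,y]$ $\forall n \geq 0$, and $(y + 1)$ divides $\tilde\psi_n(y)$ if $n$ is even.

Proof: Proof is by induction. The statement is true for $n = 0, 1, 2, 3, 4$. Now suppose
it is true for $0, 1, 2, \dots, n - 1$:

Case 1: $n \equiv 0 \pmod 8$ i.e. $n = 8l$ for some $l \in \mathbb{Z}$. Let $r = 4l$.
Then

$$\tilde\psi_n(y) = \frac{\tilde\psi_r(y)}{y+1}\left(\tilde\psi_{r+2}(y)\tilde\psi_{r-1}^2(y) - \tilde\psi_{r-2}(y)\tilde\psi_{r+1}^2(y)\right)$$

and $\tilde\psi_r(y)$, $\tilde\psi_{r+2}(y)$, $\tilde\psi_{r-1}(y)$, $\tilde\psi_{r-2}(y)$, $\tilde\psi_{r+1}(y) \in \mathbb{Z}[a,d,y]$. Also, $(y + 1)$ divides
$\tilde\psi_r(y)$, $\tilde\psi_{r+2}(y)$, and $\tilde\psi_{r-2}(y)$ by hypothesis. Hence $\tilde\psi_n(y) \in \mathbb{Z}[a, d, y]$ and $(y + 1)$ divides
$\tilde\psi_n(y)$.

Case 2: $n \equiv 1 \pmod 8$ i.e. $n = 8l + 1$ for some $l \in \mathbb{Z}$. Let $r = 4l$.

$\tilde\psi_{r+2}(y)$ by hypothesis. Hence $\tilde\psi_n(y) \in \mathbb{Z}[a,d,y]$.

Cases 3, ..., 8: $n \equiv 2, \dots, 7 \pmod 8$. Similar. □

Theorem 8.2 and Corollary 8.3 provide results for the degrees of these polynomials
$\tilde\psi_n(y)$, and Theorem 8.6 shows that the coefficients of the polynomials exhibit a large
amount of symmetry.

Theorem 8.2 If $\mathrm{char}(k) = 0$ or $4 \cdot \mathrm{char}(k) \nmid n$, then $\tilde\psi_n(y)$ has leading term (term of
largest degree in $y$)

$$\begin{cases}
\delta(n)d^{m(n)-k(n)}y^{m(n)} & \text{if } n \not\equiv 0 \pmod 4 \\
\delta(n)d^{m(n)-k(n)}y^{m(n)-1} & \text{if } n \equiv 0 \pmod 4
\end{cases}$$

where

$$\delta(n) = \begin{cases}
\frac{n}{2} & \text{if } n \equiv 0 \pmod 8 \\
-\frac{n}{2} & \text{if } n \equiv 4 \pmod 8 \\
1 & \text{if } n \equiv 1, 2, \text{ or } 5 \pmod 8 \\
-1 & \text{if } n \equiv 3, 6, \text{ or } 7 \pmod 8
\end{cases}$$

and $m(n)$, $k(n)$ are as defined in Theorem 7.1.

If $\mathrm{char}(k) \neq 0$ and $4 \cdot \mathrm{char}(k) \mid n$, then $\deg(\tilde\psi_n(y)) < m(n) - 1$.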

Proof: Proof is by induction. The statement is true for $n = 0, 1, 2, 3, 4$. Now suppose
it is true for $0, 1, 2, \dots, n - 1$:

Case 1: $n \equiv 0 \pmod 8$ i.e. $n = 8l$ for some $l \in \mathbb{Z}$. Let $r = 4l$. Then

$$\begin{aligned}
\tilde\psi_n(y) = {} & \left(\delta(r)d^{m(r)-k(r)}y^{m(r)-2} + \cdots\right) \times \\
& \Big[\left(\delta(r + 2)(\delta(r - 1))^2 d^{m(r+2)+2m(r-1)-k(r+2)-2k(r-1)}y^{m(r+2)+2m(r-1)} + \cdots\right) \\
& - \left(\delta(r - 2)(\delta(r + 1))^2 d^{m(r-2)+2m(r+1)-k(r-2)-2k(r+1)}y^{m(r-2)+2m(r+1)} + \cdots\right)\Big]
\end{aligned}$$

So, computing the $m$'s and $k$'s as in previous proofs, and noting that

$$\delta(r) = \pm 2l, \quad \delta(r + 2) = \pm 1, \quad \delta(r - 1) = -1, \quad \delta(r - 2) = \mp 1, \quad \delta(r + 1) = 1,$$

the leading term is thus

$$\begin{aligned}
& \pm 2l\,d^{m(n)-k(n)}y^{m(r)-2}\left(\pm y^{m(r+2)+2m(r-1)} \pm y^{m(r-2)+2m(r+1)}\right) \\
&= \frac{n}{2}d^{m(n)-k(n)}y^{m(n)-1} \\
&= \delta(n)d^{m(n)-k(n)}y^{m(n)-1}.
\end{aligned}$$

The only exception being if $\mathrm{char}(k) \neq 0$ and $\mathrm{char}(k) \mid r$, (i.e. if $\mathrm{char}(k) \mid n$) in which
case, $\deg(\tilde\psi_r(y)) < m(r) - 1$ and $\deg(\tilde\psi_n(y)) < m(n) - 1$.

Case 2: $n \equiv 1 \pmod 8$ i.e. $n = 8l + 1$ for some $l \in \mathbb{Z}$. Let $r = 4l$.
Then

$$\tilde\psi_n(y) = \frac{4(a-d)(a-dy^2)^2\tilde\psi_{r+2}(y)\tilde\psi_r^3(y)}{(y+1)^2} - \tilde\psi_{r-1}(y)\tilde\psi_{r+1}^3(y).$$

The degree (in $y$) of the first term above is $m(r + 2) + 3(m(r) - 1) + 4 - 2 = 32l^2 + 8l - 3$.
The degree (in $y$) of the second term is $m(r - 1) + 3m(r + 1) = 32l^2 + 8l$. Thus
$\frac{4(a-d)(a-dy^2)^2\tilde\psi_{r+2}(y)\tilde\psi_r^3(y)}{(y+1)^2}$ does not contribute to the leading term which is

$$-\delta(r - 1)(\delta(r + 1))^3 d^{m(r-1)+3m(r+1)-k(r-1)-3k(r+1)}y^{32l^2+8l}.$$

Now,

$$\begin{aligned}
& \delta(r - 1) = -1, \quad \delta(r + 1) = 1, \quad \delta(n) = 1 \\
& k(r - 1) + 3k(r + 1) = 24l^2 + 6l \\
& m(n) - k(n) = m(8l + 1) - k(8l + 1) = 32l^2 + 8l - (24l^2 + 6l) = 8l^2 + 2l.
\end{aligned}$$

So the leading term is $\delta(n)d^{m(n)-k(n)}y^{m(n)}$, as required.

The only exceptional case is if $\mathrm{char}(k) \neq 0$ and $\mathrm{char}(k) \mid r$, in which case $\deg(\tilde\psi_r(y)) <
m(r) - 1$, but as $\tilde\psi_r(y)$ does not contribute to the leading term, this does not affect the
result.

Cases 3, ..., 8: $n \equiv 2, \dots, 7 \pmod 8$. Similar. □
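
Corollary 8.3 If $4 \nmid n$, then $\deg(\tilde\psi_n(y)) = m(n)$ where

$$m(n) = \begin{cases}
\frac{n^2 - 1}{2} & \text{if } n \text{ is odd} \\
\frac{n^2 - 2}{2} & \text{if } n \text{ is even.}
\end{cases}$$

If $4 \mid n$ and $\mathrm{char}(k) \nmid n$, $\deg(\tilde\psi_n(y)) = m(n) - 1$.
Otherwise $\deg(\tilde\psi_n(y)) < m(n) - 1$.

Proof: Immediate from Theorem 8.2. □

The only case where the degree of the polynomial $\tilde\psi_n$ is not known precisely is when
$4 \cdot \mathrm{char}(k) \mid n$. In any case, $\frac{n^2}{2}$ is an upper bound for $\deg(\tilde\psi_n)$.

Lemma 8.4 If $\mathrm{char}(k) = 0$ or $4 \cdot \mathrm{char}(k) \nmid n$, then $\tilde\psi_n(y)$ has final term (term of least
degree in $y$)

$$\begin{cases}
\epsilon(n)a^{m(n)-k(n)} & \text{if } n \not\equiv 0 \pmod 4 \\
\epsilon(n)a^{m(n)-k(n)}y & \text{if } n \equiv 0 \pmod 4
\end{cases}$$

where

$$\epsilon(n) = \begin{cases}
-\frac{n}{2} & \text{if } n \equiv 0 \pmod 8 \\
\frac{n}{2} & \text{if } n \equiv 4 \pmod 8 \\
1 & \text{if } n \equiv 1, 2, \text{ or } 3 \pmod 8 \\
-1 & \text{if } n \equiv 5, 6, \text{ or } 7 \pmod 8
\end{cases}$$

and $m(n)$, $k(n)$ are as defined in Theorem 7.1.

If $\mathrm{char}(k) \neq 0$ and $4 \cdot \mathrm{char}(k) \mid n$, then the term of least degree has degree greater than
1.

Proof: Similar to proof of Theorem 8.2. □

Recall from Theorem 8.1 that $\tilde\psi_n(y) = \tilde\psi_n(a,d,y) \in \mathbb{Z}[a,d,y]$. If we write $\tilde\psi_n$ in the
form

$$\tilde\psi_n(a, d, y) = \alpha_{m(n)}y^{m(n)} + \alpha_{m(n)-1}y^{m(n)-1} + \cdots + \alpha_1y + \alpha_0$$

where $m(n)$ is as defined in Theorem 7.1 (so, in particular, if $4 \mid n$, $\alpha_{m(n)} = \alpha_0 = 0$) and
$\alpha_j \in \mathbb{Z}[a,d]$, then we define

$$\tilde\psi^*_n(a, d, y) := \alpha_0y^{m(n)} + \alpha_1y^{m(n)-1} + \cdots + \alpha_{m(n)-1}y + \alpha_{m(n)}$$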
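
Lemma 8.5 $\tilde\psi_n(a, d, y)$, considered as a polynomial in $a$ and $d$ (with coefficients in $\mathbb{Z}[a, d]$)
is homogeneous of degree $m(n) - k(n)$.

Proof: Proof is by induction using Theorem 7.1. □

Theorem 8.6 Consider $\tilde\psi_n(a,d,y) \in \mathbb{Z}[a, d, y]$, as a polynomial in three variables. Then
$\tilde\psi_n(a,d,y) = \tilde\psi^*_n(-d, -a, y)$.

Proof: We can restate this theorem as: If

$$\tilde\psi_n(a,d,y) = \alpha_{m(n)}(a,d)y^{m(n)} + \alpha_{m(n)-1}(a, d)y^{m(n)-1} + \cdots + \alpha_1(a, d)y + \alpha_0(a, d)$$

then

$$\tilde\psi_n(a, d,y) = \alpha_0(-d, -a)y^{m(n)} + \alpha_1(-d, -a)y^{m(n)-1} + \cdots + \alpha_{m(n)-1}(-d, -a)y + \alpha_{m(n)}(-d, -a).$$

If $E$ is as defined at the outset,

$$E : ax^2 + y^2 = 1 + dx^2y^2$$

and we let $E'$ be the twisted Edwards curve

$$E' : dx^2 + y^2 = 1 + ax^2y^2$$

then the birational equivalence $(x,y) \mapsto \left(x, \frac{1}{y}\right)$ maps $E$ to $E'$ and $E'$ to $E$.
Now,

$$\psi_n(x,y) = \frac{(a - d)^{k(n)}\tilde\psi_n(y)}{(2(1 - y))^{m(n)}x^{\gamma(n)}}$$

where

$$\gamma(n) = \begin{cases}
1 & \text{if } n \text{ is even} \\
0 & \text{if } n \text{ is odd}
\end{cases}$$

and

$$\psi'_n(x,y) = \frac{(d - a)^{k(n)}\tilde\psi'_n(y)}{(2(1 - y))^{m(n)}x^{\gamma(n)}}$$

where $\psi'_n(x,y)$, $\tilde\psi'_n(y)$ are the relevant functions defined on $E'$.
Now,

$$\begin{aligned}
\psi'_n\left(x, \frac{1}{y}\right) &= \frac{(d - a)^{k(n)}\tilde\psi'_n\left(\frac{1}{y}\right)}{\left(2\left(1 - \frac{1}{y}\right)\right)^{m(n)}x^{\gamma(n)}} \\
&= \frac{(a - d)^{k(n)}\left((-1)^{m(n)-k(n)}y^{m(n)}\tilde\psi'_n\left(\frac{1}{y}\right)\right)}{(2(1 - y))^{m(n)}x^{\gamma(n)}}
\end{aligned}$$

and by Theorem 8.3 $(-1)^{m(n)-k(n)}y^{m(n)}\tilde\psi'_n\left(\frac{1}{y}\right) \in \mathbb{Z}[a,d,y]$.
By the birational equivalence, for any $(x, y) \in E$,

$$\psi_n(x,y) = 0 \iff \psi'_n\left(x, \frac{1}{y}\right) = 0$$

so

$$\tilde\psi_n(y) = 0 \iff (-1)^{m(n)-k(n)}y^{m(n)}\tilde\psi'_n\left(\frac{1}{y}\right) = 0$$

which gives

$$\tilde\psi_n(y) = t\,(-1)^{m(n)-k(n)}y^{m(n)}\tilde\psi'_n\left(\frac{1}{y}\right)$$

for some $t$. By comparing leading terms using Theorems 8.2 and 8.4 we get $t = 1$, i.e.,

$$\tilde\psi_n(y) = (-1)^{m(n)-k(n)}y^{m(n)}\tilde\psi'_n\left(\frac{1}{y}\right).$$

Now,

$$\tilde\psi_n(a,d,y) = \alpha_{m(n)}(a,d)y^{m(n)} + \alpha_{m(n)-1}(a, d)y^{m(n)-1} + \cdots + \alpha_1(a, d)y + \alpha_0(a, d)$$

and

$$\tilde\psi'_n(a,d,y) = \alpha_{m(n)}(d,a)y^{m(n)} + \alpha_{m(n)-1}(d,a)y^{m(n)-1} + \cdots + \alpha_1(d, a)y + \alpha_0(d, a).$$

Recall (lemma 1831) that each of the $\alpha_j$ is homogeneous in $a$ and $d$ of degree $m(n) - k(n)$,
so

$$(-1)^{m(n)-k(n)}\tilde\psi'_n(a, d, y) = \alpha_{m(n)}(-d, -a)y^{m(n)} + \alpha_{m(n)-1}(-d, -a)y^{m(n)-1} + \cdots + \alpha_1(-d, -a)y + \alpha_0(-d, -a)$$

and

$$\begin{aligned}
(-1)^{m(n)-k(n)}y^{m(n)}\tilde\psi'_n\left(\frac{1}{y}\right) &= \alpha_{m(n)}(-d, -a) + \alpha_{m(n)-1}(-d, -a)y + \cdots \\
&\quad + \alpha_1(-d, -a)y^{m(n)-1} + \alpha_0(-d, -a)y^{m(n)} \\
&= \tilde\psi^*_n(-d, -a, y).
\end{aligned}$$

Hence, $\tilde\psi_n(a,d,y) = \tilde\psi^*_n(-d, -a, y)$. □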

9 Another Approach to Division Polynomials

9.1 Rephrasing the addition laws

Let $(x_+, y_+) = (x_1,y_1) + (x_2,y_2)$, $(x_-, y_-) = (x_1,y_1) - (x_2,y_2)$.

Theorem 9.1

$$x_+ = \frac{x_1y_2(1 - dx_2^2) + x_2y_1(1 - dx_1^2)}{1 - adx_1^2x_2^2}$$

Proof:

$$\begin{aligned}
x_+ &= \frac{(x_1y_2 + x_2y_1)(1 - dx_1x_2y_1y_2)}{1 - d^2x_1^2x_2^2y_1^2y_2^2} \\
&= \frac{x_1y_2(1 - dx_2^2y_1^2) + x_2y_1(1 - dx_1^2y_2^2)}{1 - d^2x_1^2x_2^2y_1^2y_2^2} \\
&= \frac{x_1y_2\left(1 - dx_2^2\frac{1 - ax_1^2}{1 - dx_1^2}\right) + x_2y_1\left(1 - dx_1^2\frac{1 - ax_2^2}{1 - dx_2^2}\right)}{1 - d^2x_1^2x_2^2y_1^2y_2^2} \\
&= \frac{(1 - d(x_1^2 + x_2^2) + adx_1^2x_2^2)(x_1y_2(1 - dx_2^2) + x_2y_1(1 - dx_1^2))}{(1 - dx_1^2)(1 - dx_2^2) - d^2x_1^2x_2^2(1 - ax_1^2)(1 - ax_2^2)} \\
&= \frac{(1 - d(x_1^2 + x_2^2) + adx_1^2x_2^2)(x_1y_2(1 - dx_2^2) + x_2y_1(1 - dx_1^2))}{(1 - d(x_1^2 + x_2^2) + adx_1^2x_2^2)(1 - adx_1^2x_2^2)} \\
&= \frac{x_1y_2(1 - dx_2^2) + x_2y_1(1 - dx_1^2)}{1 - adx_1^2x_2^2}
\end{aligned}$$

□

Notes: If $ad$ is a nonsquare in $K$, it is immediate that the above addition law is complete
(in the sense of [3]). It is also straightforward to see that

$$x_- = \frac{x_1y_2(1 - dx_2^2) - x_2y_1(1 - dx_1^2)}{1 - adx_1^2x_2^2}$$

and thus the following theorem holds.

Theorem 9.2

$$x_+ + x_- = \frac{2x_1y_2(1 - dx_2^2)}{1 - adx_1^2x_2^2}$$

Analogously:

$$y_+ = \frac{(a - d)y_1y_2 - (a - dy_1^2)(a - dy_2^2)x_1x_2}{a - d(y_1^2 + y_2^2) + dy_1^2y_2^2}$$

Proof:

$$\begin{aligned}
y_+ &= \frac{(y_1y_2 - ax_1x_2)(1 + dx_1x_2y_1y_2)}{1 - d^2x_1^2x_2^2y_1^2y_2^2} \\
&= \frac{y_1y_2(1 - adx_1^2x_2^2) - x_1x_2(a - dy_1^2y_2^2)}{1 - d^2x_1^2x_2^2y_1^2y_2^2} \\
&= \frac{y_1y_2\left((a - dy_1^2)(a - dy_2^2) - ad(1 - y_1^2)(1 - y_2^2)\right) - x_1x_2(a - dy_1^2y_2^2)(a - dy_1^2)(a - dy_2^2)}{(a - dy_1^2)(a - dy_2^2) - d^2y_1^2y_2^2(1 - y_1^2)(1 - y_2^2)} \\
&= \frac{(a - d)(a - dy_1^2y_2^2)y_1y_2 - (a - dy_1^2)(a - dy_2^2)(a - dy_1^2y_2^2)x_1x_2}{(a - dy_1^2y_2^2)(a - d(y_1^2 + y_2^2) + dy_1^2y_2^2)} \\
&= \frac{(a - d)y_1y_2 - (a - dy_1^2)(a - dy_2^2)x_1x_2}{a - d(y_1^2 + y_2^2) + dy_1^2y_2^2}
\end{aligned}$$

□

Thus

$$y_- = \frac{(a - d)y_1y_2 + (a - dy_1^2)(a - dy_2^2)x_1x_2}{a - d(y_1^2 + y_2^2) + dy_1^2y_2^2}$$

and

Theorem 9.3

$$y_+ + y_- = \frac{2(a - d)y_1y_2}{a - d(y_1^2 + y_2^2) + dy_1^2y_2^2}$$

9.2 Recursion formulae 

Motivated by the polynomials studied by Abel in proving his theorem on the re-division
points of the lemniscate [1] (and see also Cox [4]), we use the above addition formulae to
derive a new set of polynomials defined by a recursion to specify the $n$th multiple of a
point. From here on we denote the $x$-coordinate of $[n](x,y)$ by $x_n$, and the $y$-coordinate
by $y_n$.

Theorem 9.4

$$x_n = \begin{cases}
xy\dfrac{P_n(x^2)}{Q_n(x^2)} & \text{if } n \text{ is even} \\[2ex]
x\dfrac{P_n(x^2)}{Q_n(x^2)} & \text{if } n \text{ is odd}
\end{cases}$$

where $P_n(t)$, $Q_n(t)$ ∈ are defined by:

$$P_1(t) = 1, \quad Q_1(t) = 1, \quad P_2(t) = 2(1 - dt), \quad Q_2(t) = 1 - adt^2$$

$$P_{n+1}(t) = \begin{cases}
2(1 - at)(1 - dt)P_nQ_{n-1}Q_n - P_{n-1}\left((1 - dt)Q_n^2 - adt^2(1 - at)P_n^2\right) & \text{if } n \text{ is even} \\
2(1 - dt)P_nQ_{n-1}Q_n - P_{n-1}\left(Q_n^2 - adt^2P_n^2\right) & \text{if } n \text{ is odd}
\end{cases}$$

$$Q_{n+1}(t) = \begin{cases}
Q_{n-1}\left((1 - dt)Q_n^2 - adt^2(1 - at)P_n^2\right) & \text{if } n \text{ is even} \\
Q_{n-1}\left(Q_n^2 - adt^2P_n^2\right) & \text{if } n \text{ is odd}
\end{cases}$$

Note that $(P_{n+1}, Q_{n+1})$ is generated by a recursion on $(P_n, Q_n)$ and $(P_{n-1}, Q_{n-1})$, as
distinct from the recursions on various polynomials of index $\sim n/2$ as in Theorem 7.1.

Proof: By induction on $n$. The claim is true for $n = 1$, and, by Theorem 9.1, for $n = 2$.
Assume the claim is true for $n$, $n - 1$. Then, by Theorem 9.2

$$x_{n+1} + x_{n-1} = \frac{2x_ny(1 - dx^2)}{1 - adx_n^2x^2}$$

Case 1: $n$ even

$$\begin{aligned}
x_{n+1} &= \frac{2xy^2\frac{P_n}{Q_n}(1 - dx^2)}{1 - adx^4y^2\frac{P_n^2}{Q_n^2}} - \frac{xP_{n-1}}{Q_{n-1}} \\
&= \frac{2xy^2P_nQ_n(1 - dx^2)}{Q_n^2 - adx^4y^2P_n^2} - \frac{xP_{n-1}}{Q_{n-1}} \\
&= \frac{2x(1 - ax^2)(1 - dx^2)P_nQ_n}{(1 - dx^2)Q_n^2 - adx^4(1 - ax^2)P_n^2} - \frac{xP_{n-1}}{Q_{n-1}} \\
&= \frac{x\left(2(1 - ax^2)(1 - dx^2)P_nQ_{n-1}Q_n - P_{n-1}\left((1 - dx^2)Q_n^2 - adx^4(1 - ax^2)P_n^2\right)\right)}{Q_{n-1}\left((1 - dx^2)Q_n^2 - adx^4(1 - ax^2)P_n^2\right)}
\end{aligned}$$

proving the claim for the case of $n$ being even.
Case 2: $n$ odd

$$\begin{aligned}
x_{n+1} &= \frac{2xy\frac{P_n}{Q_n}(1 - dx^2)}{1 - adx^4\frac{P_n^2}{Q_n^2}} - \frac{xyP_{n-1}(x^2)}{Q_{n-1}(x^2)} \\
&= \frac{2xyP_nQ_n(1 - dx^2)}{Q_n^2 - adx^4P_n^2} - \frac{xyP_{n-1}}{Q_{n-1}} \\
&= \frac{xy\left(2(1 - dx^2)P_nQ_{n-1}Q_n - P_{n-1}\left(Q_n^2 - adx^4P_n^2\right)\right)}{Q_{n-1}\left(Q_n^2 - adx^4P_n^2\right)}
\end{aligned}$$

Proving the claim for the case of $n$ being odd, and thus, by induction, the theorem. □

Equally, one could rephrase the previous theorem as a recursion of rational functions.



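Theorem 9.5

$$x_n = \begin{cases}
xy\,\alpha_n(x^2) & \text{if } n \text{ is even} \\
x\,\alpha_n(x^2) & \text{if } n \text{ is odd}
\end{cases}$$

where $\alpha_n(t)$ are defined by:

$$\alpha_1(t) = 1, \qquad \alpha_2(t) = \frac{2(1 - dt)}{1 - adt^2},$$

$$\alpha_{n+1}(t) = \begin{cases}
\dfrac{2(1 - at)(1 - dt)\alpha_n}{(1 - dt) - adt^2(1 - at)\alpha_n^2} - \alpha_{n-1} & \text{if } n \text{ is even} \\[2ex]
\dfrac{2(1 - dt)\alpha_n}{1 - adt^2\alpha_n^2} - \alpha_{n-1} & \text{if } n \text{ is odd}
\end{cases}$$

Proof: Similar □

We can also express $x_n$ in terms of $y$, and $y_n$ in terms of $y$ or $x$. For brevity's sake, we
omit these formulae.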
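
The $(P_n, Q_n)$ recursion of Theorem 9.4 evaluated at $t = x^2$, as an added example (not code from the paper), compared with the $x$-coordinate obtained by repeated addition. The field $\mathbb{F}_{101}$, the parameters $a = 5$, $d = 2$, the sample point $(1, 2)$ and the function names are constructed for illustration; $d$ and $ad$ are non-squares mod 101, so no $Q_n(x^2)$ vanishes.

```python
P = 101        # constructed prime field
A, D = 5, 2    # constructed curve 5x^2 + y^2 = 1 + 2x^2y^2; d and ad are non-squares

def inv(z):
    """Inverse in F_P; raises ValueError on zero."""
    return pow(z % P, -1, P)

def add(p1, p2):
    """Addition law of Section 3, used only as the reference computation."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 - A * x1 * x2) * inv(1 - t) % P)

def pq(t, n):
    """(P_n(t), Q_n(t)) in F_P for n >= 1, by the two-term recursion of Theorem 9.4."""
    prev, cur = (1, 1), (2 * (1 - D * t) % P, (1 - A * D * t * t) % P)
    if n == 1:
        return prev
    for k in range(2, n):                # step from (k - 1, k) to (k, k + 1)
        (pp, qp), (pk, qk) = prev, cur
        if k % 2 == 0:
            den = ((1 - D * t) * qk * qk - A * D * t * t * (1 - A * t) * pk * pk) % P
            num = 2 * (1 - A * t) * (1 - D * t) * pk * qp * qk - pp * den
        else:
            den = (qk * qk - A * D * t * t * pk * pk) % P
            num = 2 * (1 - D * t) * pk * qp * qk - pp * den
        prev, cur = cur, (num % P, qp * den % P)
    return cur

def x_multiple(n, pt):
    """x-coordinate of [n]pt: x*y*P_n/Q_n for even n, x*P_n/Q_n for odd n."""
    x, y = pt
    pn, qn = pq(x * x % P, n)
    xn = x * pn * inv(qn)
    return xn * (y if n % 2 == 0 else 1) % P

def count_verified(pt, n_max=40):
    """Number of consecutive n = 1, 2, ... for which the recursion matches [n]pt."""
    acc = (0, 1)
    for n in range(1, n_max + 1):
        acc = add(acc, pt)
        if x_multiple(n, pt) != acc[0]:
            return n - 1
    return n_max
```

For odd $n$ the result depends on the point only through $x$, which is what makes the recursion usable for $x$-coordinate-only arithmetic.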

9.3 Recovering the y coordinate 

The formulae above can be used to perform $x$-coordinate-only arithmetic (cf Montgomery
ladder, [7]). For this purpose, we manipulate Theorem 9.1 and the analogous result for $y_+$
to get

Theorem 9.6 

x n -x(l — adx 2 x 2 l ) + x n y(l — dx 2 ) 



x(l — dx 2 ) 

y n _i(a - d(y 2 + y 2 ) + dy 2 y 2 n ) - (a - d)yy n 



(a - dy 2 )(a - dy 2 n ) 

Proof: Immediate from

$$x_+ = \frac{x_1y_2(1 - dx_2^2) + x_2y_1(1 - dx_1^2)}{1 - adx_1^2x_2^2}$$

and

$$y_+ = \frac{(a - d)y_1y_2 - (a - dy_1^2)(a - dy_2^2)x_1x_2}{a - d(y_1^2 + y_2^2) + dy_1^2y_2^2}$$

□